CBR has teamed up with Darren Gross, EMEA director of unified identity services specialist Centrify, to examine just how we should be using passwords to ensure our safety online.
Passwords are widely recognised by the security industry as no longer being fit for purpose. Yet at the same time they are ingrained into users' psyche as being the ‘correct’ way to log in to applications and devices. This element of human behaviour, and our unquestioning acceptance of passwords, is the very thing that Heartbleed seeks to exploit. As a result, the bug has shone a bright light on passwords and their inadequacy – what learnings can we take away from the last week?
1. Passwords are hard to use and maintain. We’re told that for each individual application that we interact with, we should use a unique password. All very well in theory, but when it comes to remembering them it is a very different kettle of fish.
2. Unless you have an eidetic memory, it simply isn’t feasible to remember and manage such a multitude of passwords. So we default either to using the same one for everything or to something that is easy to remember, such as our birthdate or Password1. The problem is that if it’s easy for you to remember, the chances are it’s not going to take a hacker long to work it out either.
3. Passwords are an economic cornerstone of the cyber underworld. Why? Because identity is a valued currency and it’s one that is accepted everywhere. Once a hacker has your password, as far as a website or app is concerned, they are you. So, whilst Heartbleed exposes big chunks of data known by a web server to hackers, passwords are the most obvious target because of their ability to provide access to everything that they are supposed to protect.